How GDPR will affect you as a SME business

Posted by Katie Porter

There are only eight months to go! In case you are only now hearing about GDPR (and you've somehow missed our two amazing blog posts already), here is a quick breakdown of what it's all about...

Overview

In May 2018, the European Union's General Data Protection Regulation (GDPR) comes into force, bringing a lot of new compliance requirements around consent and personal data that companies will need to consider. Under GDPR, each person has to state explicitly whether they consent to their personal data being used. As the internet has grown, there is now more data than we know what to do with, so new data protection regulations are needed to control how this data is handled.

Does it affect SMEs?

YES! GDPR applies to anyone who deals with EU personal data. It isn't just the large companies that will be affected by GDPR; SMEs are also impacted, and there are multiple things you can start doing now.

A good starting point is the process of data mapping. You can start by outlining what data you have, why you have it, where it is stored and who has access to it. You also need to establish whether you have explicit consent to be storing this data. It may seem like a big task, but the sooner you start the easier it will seem. You still have eight months to go, but it's important to get started now!

Accountability and transparency are the two most important things to consider when thinking about GDPR and personal data. As an SME you are accountable for the data that you store, and must be transparent about what data you have, and why and how you have it. Something else that SMEs should consider is cloud vendors. If you store your data in the cloud, you will want to draw up a data processing agreement and a security policy to ensure that the data remains secure.

What about your own employee data?

Employee data should already be treated in a sensitive and secure manner, but this data is also covered by GDPR. Employee data comes in many forms and can be stored in multiple ways: electronic records, printed contracts, background checks, health insurance policies, bank details, paper documents, etc.

It is important to have a data retention policy in place that details how and where personal data is being stored. As the amount and type of data that you store changes, it is crucial to review this policy each year and make the necessary amendments. Don't forget, accountability and transparency are key!

What about the data you have already gathered?

If you went to an event three years ago and gathered some data but don't have evidence of explicit consent being given, you will have to regain explicit consent if you want to store and use this data under the new GDPR rules. There are a couple of ways you can reconnect with these people and gain their consent for the data to be used; examples include:

Reach out with a newsletter containing company updates.

Offer something to the people you are trying to reconnect with, such as a discount on a product or service.

At the end of the communication you can include a tick box for the individual to give their explicit consent for the data to be held and used. You can be creative when reconnecting and gaining consent for old data, and it's also a great way to know that your business is marketing to the right people. Your KPIs will be more accurate, and you will know that the people receiving your communications want to hear about your company and will appreciate your transparency.

What you can do between now and the end of the year

Before 2017 draws to a close and you enter 2018 with the roll-out of GDPR fast approaching, there are a number of things you can do to put yourself in a good position for the new year:

Do your data mapping! Know where your data is stored and what your plan is going forward. This will allow you to clearly see what steps you need to take next.

Know whose data you have, and distinguish how much of that data has explicit consent attached to it and how much doesn't.

Draw up a data retention policy for your internal employee data.

Set out a training plan for the people within your business who will be handling personal data, and ensure that they know about the requirements of GDPR.

Don't forget...

Everyone is in this together! Speak to other people in your industry and discuss how they are preparing for GDPR; you may be able to learn from each other. Everyone who deals with EU personal data is facing the same issue, just on different scales. Some big businesses are yet to start preparing, so relax, know the processes you need to follow, and let's get started.